commit 912a283f7c0ab4df086145bc3107ce907e586845 Author: Harshavardhan Musanalli Date: Sat Aug 16 15:15:18 2025 +0200 Initial Commit
diff --git a/c-lang/loader b/c-lang/loader
new file mode 100755
index 0000000..4e10f02
Binary files /dev/null and b/c-lang/loader differ
diff --git a/c-lang/loader.c b/c-lang/loader.c
new file mode 100644
index 0000000..65b3430
--- /dev/null
+++ b/c-lang/loader.c
@@ -0,0 +1,77 @@
+#include
+#include
+#include
+#include
+
+int main() {
+ struct bpf_object *obj;
+ struct bpf_program *prog;
+ struct bpf_link *link;
+ struct bpf_map *target_map;
+ int err;
+ const char *target_filename = "/tmp/testfile";
+ int key = 0;
+ char value[256] = {0};
+
+ strncpy(value, target_filename, sizeof(value) - 1);
+
+ obj = bpf_object__open_file("tracepoint.o", NULL);
+ if (!obj) {
+ fprintf(stderr, "Error opening BPF object\n");
+ return 1;
+ }
+
+ // Clean up any existing maps first
+ bpf_object__unpin_maps(obj, "/sys/fs/bpf");
+
+ err = bpf_object__load(obj);
+ if (err) {
+ fprintf(stderr, "Error loading BPF object\n");
+ return 1;
+ }
+
+ target_map = bpf_object__find_map_by_name(obj, "target_filename_map");
+ if (!target_map) {
+ fprintf(stderr, "Error finding target_filename_map\n");
+ bpf_object__close(obj);
+ return 1;
+ }
+
+ err = bpf_map__update_elem(target_map, &key, sizeof(key), value, sizeof(value), BPF_ANY);
+ if (err) {
+ fprintf(stderr, "Error populating target_filename_map\n");
+ bpf_object__close(obj);
+ return 1;
+ }
+
+ prog = bpf_object__find_program_by_name(obj, "trace_openat");
+ if (!prog) {
+ fprintf(stderr, "Error finding BPF program\n");
+ bpf_object__close(obj);
+ return 1;
+ }
+
+ link = bpf_program__attach(prog);
+ if (!link) {
+ fprintf(stderr, "Error attaching BPF program\n");
+ bpf_object__close(obj);
+ return 1;
+ }
+
+ err = bpf_object__pin_maps(obj, "/sys/fs/bpf");
+ if (err) {
+ fprintf(stderr, "Error pinning BPF maps\n");
+ bpf_link__destroy(link);
+ bpf_object__close(obj);
+ return 1;
+ }
+
+ printf("BPF program loaded and maps pinned. Press Ctrl+C to exit.\n");
+
+ pause();
+
+ bpf_object__unpin_maps(obj, "/sys/fs/bpf");
+ bpf_link__destroy(link);
+ bpf_object__close(obj);
+ return 0;
+}
\ No newline at end of file
diff --git a/c-lang/monitor b/c-lang/monitor
new file mode 100755
index 0000000..666ba78
Binary files /dev/null and b/c-lang/monitor differ
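Review bot: The cleanup after `pause()` in main() is never reached on Ctrl+C, because no handler is installed and the default SIGINT/SIGTERM action terminates the process; the maps pinned under `/sys/fs/bpf` therefore outlive the loader and remain open to whoever can reach the pin. Installing a no-op handler before the wait, e.g. `static void on_signal(int sig) { (void)sig; }` with `signal(SIGINT, on_signal); signal(SIGTERM, on_signal);`, lets `pause()` return so the unpin/destroy/close sequence runs. The `bpf_object__load` failure path also returns without `bpf_object__close(obj)`, unlike every later error path. Separately, `bpf_object__open_file("tracepoint.o", NULL)` resolves against the current working directory, so a privileged loader started from a directory others can write would load whatever object sits there; an absolute path to a root-owned file avoids that.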
diff --git a/c-lang/monitor.c b/c-lang/monitor.c
new file mode 100644
index 0000000..d4bd3ff
--- /dev/null
+++ b/c-lang/monitor.c
@@ -0,0 +1,45 @@
+#include
+#include
+#include
+#include
+
+struct event {
+ __u32 pid;
+ __u32 uid;
+ char comm[16];
+ char filename[256];
+};
+
+// Simplified callback that actually works
+static void handle_event(void *ctx, int cpu, void *data, unsigned int size)
+{
+ struct event *e = data;
+ printf("PID: %d, UID: %d, CMD: %s, FILE: %s\n",
+ e->pid, e->uid, e->comm, e->filename);
+}
+
+int main()
+{
+ struct perf_buffer *pb;
+ int map_fd;
+
+ map_fd = bpf_obj_get("/sys/fs/bpf/events");
+ if (map_fd < 0) {
+ fprintf(stderr, "Failed to get BPF map\n");
+ return 1;
+ }
+
+ // This is the ONLY working syntax across all libbpf versions
+ pb = perf_buffer__new(map_fd, 8, handle_event, NULL, NULL, NULL);
+ if (!pb) {
+ fprintf(stderr, "Failed to create perf buffer\n");
+ close(map_fd);
+ return 1;
+ }
+
+ printf("Monitoring started. Ctrl+C to exit.\n");
+ while (perf_buffer__poll(pb, 1000) >= 0);
+
+ close(map_fd);
+ return 0;
+}
\ No newline at end of file
diff --git a/c-lang/tracepoint.c b/c-lang/tracepoint.c
new file mode 100644
index 0000000..92f0ef8
--- /dev/null
+++ b/c-lang/tracepoint.c
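Review bot: `handle_event` casts `data` to `struct event *` and prints from it without looking at `size`, so a sample shorter than the struct (for instance from a different producer on the pinned `events` map) would be read past its end; add `if (size < sizeof(struct event)) return;` as the first statement. `e->comm` is chosen by the traced process, so printing it with a bare `%s` lets control characters reach the terminal; escaping non-printable bytes before output would keep the monitor's display trustworthy. The fourth argument of `perf_buffer__new` is the lost-sample callback and is passed as `NULL`, so dropped events go unreported. `pid` and `uid` are `__u32` and should be printed with `%u`.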
@@ -0,0 +1,66 @@
+#include
+#include
+
+struct sys_enter_args {
+ unsigned long long unused;
+ long syscall_nr;
+ unsigned long args[6];
+};
+
+struct event {
+ __u32 pid;
+ __u32 uid;
+ char comm[16];
+ char filename[256];
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(int));
+ __uint(value_size, sizeof(__u32));
+} events SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_ARRAY);
+ __uint(key_size, sizeof(int));
+ __uint(value_size, 256);
+ __uint(max_entries, 1);
+ __uint(map_flags, BPF_F_RDONLY_PROG); // Critical: Makes map read-only for BPF programs
+} target_filename_map SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int trace_openat(struct sys_enter_args *ctx)
+{
+ struct event e = {};
+ char *target_filename;
+ int key = 0;
+
+ // Read filename from syscall arguments
+ bpf_probe_read_user_str(e.filename, sizeof(e.filename), (void *)ctx->args[1]);
+
+ // Get target filename from map
+ target_filename = bpf_map_lookup_elem(&target_filename_map, &key);
+ if (!target_filename) {
+ return 0;
+ }
+
+ // Compare filenames - now safe because map is read-only
+ for (int i = 0; i < sizeof(e.filename); i++) {
+ if (e.filename[i] != target_filename[i]) {
+ return 0; // No match
+ }
+ if (e.filename[i] == 0 || target_filename[i] == 0) {
+ break; // End of string
+ }
+ }
+
+ // If we get here, filenames match
+ e.pid = bpf_get_current_pid_tgid() >> 32;
+ e.uid = bpf_get_current_uid_gid();
+ bpf_get_current_comm(&e.comm, sizeof(e.comm));
+
+ bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &e, sizeof(e));
+ return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
\ No newline at end of file
diff --git a/c-lang/tracepoint.o b/c-lang/tracepoint.o
new file mode 100644
index 0000000..1b5aef2
Binary files /dev/null and b/c-lang/tracepoint.o differ
diff --git a/fim-ebpf b/fim-ebpf
new file mode 100755
index 0000000..8e4fc6f
Binary files /dev/null and b/fim-ebpf differ
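Review bot: `trace_openat` compares the literal string the caller handed to `openat` with the configured path, so an open that reaches the same file under any other spelling of the path, or through a different syscall, produces no event; for a file-integrity monitor that is a coverage gap that should at least be stated. A comment above the function such as `// NOTE: matches the user-supplied path string only; the path is not resolved, so aliases of the target are not reported.` would make the limitation visible to whoever deploys this. The return value of `bpf_probe_read_user_str` is ignored; `if (bpf_probe_read_user_str(e.filename, sizeof(e.filename), (void *)ctx->args[1]) <= 0) return 0;` avoids comparing a zeroed buffer, which would count as a match if slot 0 of `target_filename_map` were ever empty. The comment on `BPF_F_RDONLY_PROG` holds only for the BPF side: user space can still rewrite the map, and the C loader in this commit pins it under `/sys/fs/bpf`.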
diff --git a/gen.go b/gen.go
new file mode 100644
index 0000000..04fc7f3
--- /dev/null
+++ b/gen.go
@@ -0,0 +1,5 @@
+package main
+
+import "C"
+
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -tags linux tracepoint tracepoint.c
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..a99e6b5
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,7 @@
+module fim-ebpf
+
+go 1.24.2
+
+require github.com/cilium/ebpf v0.19.0
+
+require golang.org/x/sys v0.31.0 // indirect
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..35f27dd
--- /dev/null
+++ b/go.sum
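Review bot: The `import "C"` in gen.go turns on cgo for the whole package although nothing visible here calls into C; with cgo on, the Go toolchain also compiles any `.c` file in the package directory with the host compiler, which is what would happen to the `tracepoint.c` that the `go:generate` line expects there. Dropping the import and putting `//go:build ignore` at the top of the BPF source is the usual arrangement for bpf2go. As far as this page shows, the commit adds only `c-lang/tracepoint.c` and no bpf2go output, so `main.go` (which uses `tracepointObjects` and `loadTracepointObjects`) would not build from a clean checkout until the directive's path is corrected and generate is run. The page is cut off, so this may be settled in files not shown.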
@@ -0,0 +1,26 @@ +github.com/cilium/ebpf v0.19.0 h1:Ro/rE64RmFBeA9FGjcTc+KmCeY6jXmryu6FfnzPRIao= +github.com/cilium/ebpf v0.19.0/go.mod h1:fLCgMo3l8tZmAdM3B2XqdFzXBpwkcSTroaVqN08OWVY= +github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6 h1:teYtXy9B7y5lHTp8V9KPxpYRAVA7dozigQcMiBust1s= +github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6/go.mod h1:p4lGIVX+8Wa6ZPNDvqcxq36XpUDLh42FLetFU7odllI= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA= +github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w= +github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM= +github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g= +github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw= +github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U= +github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= +github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= +golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= +golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= +golang.org/x/sync v0.1.0 
h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= +golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= diff --git a/main.go b/main.go new file mode 100644 index 0000000..4c81077 --- /dev/null +++ b/main.go 
@@ -0,0 +1,102 @@
+package main
+
+import (
+ "bytes"
+ "encoding/binary"
+ "errors"
+ "log"
+ "os"
+ "os/signal"
+ "syscall"
+ "unsafe"
+
+ "github.com/cilium/ebpf/link"
+ "github.com/cilium/ebpf/perf"
+ "github.com/cilium/ebpf/rlimit"
+)
+
+// event matches the C struct in your BPF program
+type event struct {
+ Pid uint32
+ Uid uint32
+ Comm [16]byte
+ Filename [256]byte
+}
+
+func main() {
+ // Allow the current process to lock memory for eBPF resources
+ if err := rlimit.RemoveMemlock(); err != nil {
+ log.Fatal(err)
+ }
+
+ // Load the pre-compiled BPF program
+ objs := tracepointObjects{}
+ if err := loadTracepointObjects(&objs, nil); err != nil {
+ log.Fatalf("loading objects: %v", err)
+ }
+ defer objs.Close()
+
+ // Populate the target filename map (critical part)
+ targetFilename := "/tmp/testfile\x00" // Null-terminated
+ var filenameBuf [256]byte
+ copy(filenameBuf[:], targetFilename)
+
+ key := uint32(0)
+ if err := objs.TargetFilenameMap.Put(key, filenameBuf); err != nil {
+ log.Fatalf("putting target filename in map: %v", err)
+ }
+
+ // Attach the tracepoint
+ tp, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TraceOpenat, nil)
+ if err != nil {
+ log.Fatalf("attaching tracepoint: %v", err)
+ }
+ defer tp.Close()
+
+ // Set up perf event reader
+ rd, err := perf.NewReader(objs.Events, os.Getpagesize())
+ if err != nil {
+ log.Fatalf("creating perf event reader: %v", err)
+ }
+ defer rd.Close()
+
+ log.Println("Monitoring for openat() syscalls to /tmp/testfile...")
+
+ // Graceful shutdown
+ sig := make(chan os.Signal, 1)
+ signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
+
+ go func() {
+ for {
+ record, err := rd.Read()
+ if err != nil {
+ if errors.Is(err, perf.ErrClosed) {
+ return
+ }
+ log.Printf("reading from perf reader: %v", err)
+ continue
+ }
+
+ if len(record.RawSample) < int(unsafe.Sizeof(event{})) {
+ log.Printf("invalid sample size: %d", len(record.RawSample))
+ continue
+ }
+
+ var e event
+ if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &e); err != nil {
+ log.Printf("parsing event: %v", err)
+ continue
+ }
+
+ // Convert byte arrays to strings
+ comm := string(bytes.TrimRight(e.Comm[:], "\x00"))
+ filename := string(bytes.TrimRight(e.Filename[:], "\x00"))
+
+ log.Printf("PID: %d, UID: %d, CMD: %s, FILE: %s",
+ e.Pid, e.Uid, comm, filename)
+ }
+ }()
+
+ <-sig
+ log.Println("Shutting down...")
+}
diff --git a/main.go.bkp b/main.go.bkp
new file mode 100644
index 0000000..edc7673
--- /dev/null
+++ b/main.go.bkp
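Review bot: The read loop in main() never looks at `record.LostSamples`, so when the one-page per-CPU ring created by `perf.NewReader(objs.Events, os.Getpagesize())` overflows, the drop surfaces only as `invalid sample size: 0`; a file-integrity monitor should say plainly that events were lost. Add `if record.LostSamples != 0 { log.Printf("perf ring full, dropped %d samples", record.LostSamples); continue }` ahead of the size check, and consider a larger per-CPU buffer. `comm` is set by the traced process, so log it with `%q` rather than `%s` to keep newlines and control characters out of the log: `log.Printf("PID: %d, UID: %d, CMD: %q, FILE: %q", e.Pid, e.Uid, comm, filename)`.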
@@ -0,0 +1,122 @@
+//go:build linux
+
+// This program demonstrates how to attach an eBPF program to a tracepoint.
+// The program is attached to the syscall/sys_enter_openat tracepoint and
+// prints out the integer 123 every time the syscall is entered.
+package main
+
+import (
+ "errors"
+ "log"
+ "os"
+ "os/signal"
+ "syscall"
+
+ "github.com/cilium/ebpf"
+ "github.com/cilium/ebpf/asm"
+ "github.com/cilium/ebpf/link"
+ "github.com/cilium/ebpf/perf"
+ "github.com/cilium/ebpf/rlimit"
+)
+
+// Metadata for the eBPF program used in this example.
+var progSpec = &ebpf.ProgramSpec{
+ Name: "fim_monitoring", // non-unique name, will appear in `bpftool prog list` while attached
+ Type: ebpf.TracePoint, // only TracePoint programs can be attached to trace events created by link.Tracepoint()
+ License: "GPL", // license must be GPL for calling kernel helpers like perf_event_output
+}
+
+func main() {
+
+ // Subscribe to signals for terminating the program.
+ stopper := make(chan os.Signal, 1)
+ signal.Notify(stopper, os.Interrupt, syscall.SIGTERM)
+
+ // Allow the current process to lock memory for eBPF resources.
+ if err := rlimit.RemoveMemlock(); err != nil {
+ log.Fatal(err)
+ }
+
+ // Create a perf event array for the kernel to write perf records to.
+ // These records will be read by userspace below.
+ events, err := ebpf.NewMap(&ebpf.MapSpec{
+ Type: ebpf.PerfEventArray,
+ Name: "my_perf_array",
+ })
+ if err != nil {
+ log.Fatalf("creating perf event array: %s", err)
+ }
+ defer events.Close()
+
+ // Open a perf reader from userspace into the perf event array
+ // created earlier.
+ rd, err := perf.NewReader(events, os.Getpagesize())
+ if err != nil {
+ log.Fatalf("creating event reader: %s", err)
+ }
+ defer rd.Close()
+
+ // Close the reader when the process receives a signal, which will exit
+ // the read loop.
+ go func() {
+ <-stopper
+ rd.Close()
+ }()
+
+ // Minimal program that writes the static value '123' to the perf ring on
+ // each event. Note that this program refers to the file descriptor of
+ // the perf event array created above, which needs to be created prior to the
+ // program being verified by and inserted into the kernel.
+ progSpec.Instructions = asm.Instructions{
+ // store the integer 123 at FP[-8]
+ asm.Mov.Imm(asm.R2, 123),
+ asm.StoreMem(asm.RFP, -8, asm.R2, asm.Word),
+
+ // load registers with arguments for call of FnPerfEventOutput
+ asm.LoadMapPtr(asm.R2, events.FD()), // file descriptor of the perf event array
+ asm.LoadImm(asm.R3, 0xffffffff, asm.DWord),
+ asm.Mov.Reg(asm.R4, asm.RFP),
+ asm.Add.Imm(asm.R4, -8),
+ asm.Mov.Imm(asm.R5, 4),
+
+ // call FnPerfEventOutput, an eBPF kernel helper
+ asm.FnPerfEventOutput.Call(),
+
+ // set exit code to 0
+ asm.Mov.Imm(asm.R0, 0),
+ asm.Return(),
+ }
+
+ // Instantiate and insert the program into the kernel.
+ prog, err := ebpf.NewProgram(progSpec)
+ if err != nil {
+ log.Fatalf("creating ebpf program: %s", err)
+ }
+ defer prog.Close()
+
+ // Open a trace event based on a pre-existing kernel hook (tracepoint).
+ // Each time a userspace program uses the 'openat()' syscall, the eBPF
+ // program specified above will be executed and a '123' value will appear
+ // in the perf ring.
+ tp, err := link.Tracepoint("syscalls", "sys_enter_openat", prog, nil)
+ if err != nil {
+ log.Fatalf("opening tracepoint: %s", err)
+ }
+ defer tp.Close()
+
+ log.Println("Waiting for events..")
+
+ for {
+ record, err := rd.Read()
+ if err != nil {
+ if errors.Is(err, perf.ErrClosed) {
+ log.Println("Received signal, exiting..")
+ return
+ }
+ log.Printf("reading from reader: %s", err)
+ continue
+ }
+
+ log.Println("Record:", record)
+ }
+}
diff --git a/probe.out b/probe.out
new file mode 100644
index 0000000..7e0462f
--- /dev/null
+++ b/probe.out
@@ -0,0 +1,2290 @@ +Scanning system configuration... +bpf() syscall restricted to privileged users (admin can change) +JIT compiler is enabled +JIT compiler hardening is disabled +JIT compiler kallsyms exports are enabled for root +Global memory limit for JIT compiler for unprivileged users is 528482304 bytes +CONFIG_BPF is set to y +CONFIG_BPF_SYSCALL is set to y +CONFIG_HAVE_EBPF_JIT is set to y +CONFIG_BPF_JIT is set to y +CONFIG_BPF_JIT_ALWAYS_ON is set to y +CONFIG_DEBUG_INFO_BTF is set to y +CONFIG_DEBUG_INFO_BTF_MODULES is set to y +CONFIG_CGROUPS is set to y +CONFIG_CGROUP_BPF is set to y +CONFIG_CGROUP_NET_CLASSID is set to y +CONFIG_SOCK_CGROUP_DATA is set to y +CONFIG_BPF_EVENTS is set to y +CONFIG_KPROBE_EVENTS is set to y +CONFIG_UPROBE_EVENTS is set to y +CONFIG_TRACING is set to y +CONFIG_FTRACE_SYSCALLS is set to y +CONFIG_FUNCTION_ERROR_INJECTION is set to y +CONFIG_BPF_KPROBE_OVERRIDE is set to y +CONFIG_NET is set to y +CONFIG_XDP_SOCKETS is set to y +CONFIG_LWTUNNEL_BPF is set to y +CONFIG_NET_ACT_BPF is set to m +CONFIG_NET_CLS_BPF is set to m +CONFIG_NET_CLS_ACT is set to y +CONFIG_NET_SCH_INGRESS is set to m +CONFIG_XFRM is set to y +CONFIG_IP_ROUTE_CLASSID is set to y +CONFIG_IPV6_SEG6_BPF is set to y +CONFIG_BPF_LIRC_MODE2 is not set +CONFIG_BPF_STREAM_PARSER is set to y +CONFIG_NETFILTER_XT_MATCH_BPF is set to m +CONFIG_TEST_BPF is set to m +CONFIG_HZ is set to 1000 + +Scanning system call availability... +bpf() syscall is available + +Scanning eBPF program types... 
+eBPF program_type socket_filter is available +eBPF program_type kprobe is available +eBPF program_type sched_cls is available +eBPF program_type sched_act is available +eBPF program_type tracepoint is available +eBPF program_type xdp is available +eBPF program_type perf_event is available +eBPF program_type cgroup_skb is available +eBPF program_type cgroup_sock is available +eBPF program_type lwt_in is available +eBPF program_type lwt_out is available +eBPF program_type lwt_xmit is available +eBPF program_type sock_ops is available +eBPF program_type sk_skb is available +eBPF program_type cgroup_device is available +eBPF program_type sk_msg is available +eBPF program_type raw_tracepoint is available +eBPF program_type cgroup_sock_addr is available +eBPF program_type lwt_seg6local is available +eBPF program_type lirc_mode2 is NOT available +eBPF program_type sk_reuseport is available +eBPF program_type flow_dissector is available +eBPF program_type cgroup_sysctl is available +eBPF program_type raw_tracepoint_writable is available +eBPF program_type cgroup_sockopt is available +eBPF program_type tracing is available +eBPF program_type struct_ops is available +eBPF program_type ext is available +eBPF program_type lsm is available +eBPF program_type sk_lookup is available +eBPF program_type syscall is available +eBPF program_type netfilter is available + +Scanning eBPF map types... 
+eBPF map_type hash is available +eBPF map_type array is available +eBPF map_type prog_array is available +eBPF map_type perf_event_array is available +eBPF map_type percpu_hash is available +eBPF map_type percpu_array is available +eBPF map_type stack_trace is available +eBPF map_type cgroup_array is available +eBPF map_type lru_hash is available +eBPF map_type lru_percpu_hash is available +eBPF map_type lpm_trie is available +eBPF map_type array_of_maps is available +eBPF map_type hash_of_maps is available +eBPF map_type devmap is available +eBPF map_type sockmap is available +eBPF map_type cpumap is available +eBPF map_type xskmap is available +eBPF map_type sockhash is available +eBPF map_type cgroup_storage is available +eBPF map_type reuseport_sockarray is available +eBPF map_type percpu_cgroup_storage is available +eBPF map_type queue is available +eBPF map_type stack is available +eBPF map_type sk_storage is available +eBPF map_type devmap_hash is available +eBPF map_type struct_ops is available +eBPF map_type ringbuf is available +eBPF map_type inode_storage is available +eBPF map_type task_storage is available +eBPF map_type bloom_filter is available +eBPF map_type user_ringbuf is available +eBPF map_type cgrp_storage is available +eBPF map_type arena is available + +Scanning eBPF helper functions... 
+eBPF helpers supported for program type socket_filter: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_get_socket_cookie + - bpf_get_socket_uid + - bpf_skb_load_bytes_relative + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type kprobe: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_probe_read + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - 
bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_perf_event_read + - bpf_perf_event_output + - bpf_get_stackid + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_probe_read_str + - bpf_perf_event_read_value + - bpf_override_return + - bpf_get_stack + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_send_signal + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_send_signal_thread + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_get_task_stack + - bpf_copy_from_user + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_task_storage_get + - bpf_task_storage_delete + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_get_func_ip + - bpf_get_attach_cookie + - bpf_task_pt_regs + - bpf_get_branch_snapshot + - bpf_find_vma + - bpf_loop + - bpf_strncmp + - bpf_copy_from_user_task + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type sched_cls: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_skb_store_bytes + - bpf_l3_csum_replace + - bpf_l4_csum_replace + - bpf_tail_call + - 
bpf_clone_redirect + - bpf_get_current_pid_tgid + - bpf_get_cgroup_classid + - bpf_skb_vlan_push + - bpf_skb_vlan_pop + - bpf_skb_get_tunnel_key + - bpf_skb_set_tunnel_key + - bpf_redirect + - bpf_get_route_realm + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_csum_diff + - bpf_skb_get_tunnel_opt + - bpf_skb_set_tunnel_opt + - bpf_skb_change_proto + - bpf_skb_change_type + - bpf_skb_under_cgroup + - bpf_get_hash_recalc + - bpf_get_current_task + - bpf_skb_change_tail + - bpf_skb_pull_data + - bpf_csum_update + - bpf_set_hash_invalid + - bpf_get_numa_node_id + - bpf_skb_change_head + - bpf_get_socket_cookie + - bpf_get_socket_uid + - bpf_set_hash + - bpf_skb_adjust_room + - bpf_skb_get_xfrm_state + - bpf_skb_load_bytes_relative + - bpf_fib_lookup + - bpf_skb_cgroup_id + - bpf_get_current_cgroup_id + - bpf_skb_ancestor_cgroup_id + - bpf_sk_lookup_tcp + - bpf_sk_lookup_udp + - bpf_sk_release + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_sk_fullsock + - bpf_tcp_sock + - bpf_skb_ecn_set_ce + - bpf_get_listener_sock + - bpf_skc_lookup_tcp + - bpf_tcp_check_syncookie + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_tcp_gen_syncookie + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_netns_cookie + - bpf_get_current_ancestor_cgroup_id + - bpf_sk_assign + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_csum_level + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_skb_cgroup_classid + - bpf_redirect_neigh + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_redirect_peer + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - 
bpf_check_mtu + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_skb_set_tstamp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_tcp_raw_gen_syncookie_ipv4 + - bpf_tcp_raw_gen_syncookie_ipv6 + - bpf_tcp_raw_check_syncookie_ipv4 + - bpf_tcp_raw_check_syncookie_ipv6 + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type sched_act: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_skb_store_bytes + - bpf_l3_csum_replace + - bpf_l4_csum_replace + - bpf_tail_call + - bpf_clone_redirect + - bpf_get_current_pid_tgid + - bpf_get_cgroup_classid + - bpf_skb_vlan_push + - bpf_skb_vlan_pop + - bpf_skb_get_tunnel_key + - bpf_skb_set_tunnel_key + - bpf_redirect + - bpf_get_route_realm + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_csum_diff + - bpf_skb_get_tunnel_opt + - bpf_skb_set_tunnel_opt + - bpf_skb_change_proto + - bpf_skb_change_type + - bpf_skb_under_cgroup + - bpf_get_hash_recalc + - bpf_get_current_task + - bpf_skb_change_tail + - bpf_skb_pull_data + - bpf_csum_update + - bpf_set_hash_invalid + - bpf_get_numa_node_id + - bpf_skb_change_head + - bpf_get_socket_cookie + - bpf_get_socket_uid + - bpf_set_hash + - bpf_skb_adjust_room + - bpf_skb_get_xfrm_state + - bpf_skb_load_bytes_relative + - bpf_fib_lookup + - bpf_skb_cgroup_id + - bpf_get_current_cgroup_id + - bpf_skb_ancestor_cgroup_id + - bpf_sk_lookup_tcp + - bpf_sk_lookup_udp + - bpf_sk_release + - bpf_map_push_elem + - bpf_map_pop_elem + - 
bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_sk_fullsock + - bpf_tcp_sock + - bpf_skb_ecn_set_ce + - bpf_get_listener_sock + - bpf_skc_lookup_tcp + - bpf_tcp_check_syncookie + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_tcp_gen_syncookie + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_netns_cookie + - bpf_get_current_ancestor_cgroup_id + - bpf_sk_assign + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_csum_level + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_skb_cgroup_classid + - bpf_redirect_neigh + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_redirect_peer + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_check_mtu + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_skb_set_tstamp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_tcp_raw_gen_syncookie_ipv4 + - bpf_tcp_raw_gen_syncookie_ipv6 + - bpf_tcp_raw_check_syncookie_ipv4 + - bpf_tcp_raw_check_syncookie_ipv6 + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type tracepoint: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_probe_read + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - 
bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_perf_event_read + - bpf_perf_event_output + - bpf_get_stackid + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_probe_read_str + - bpf_perf_event_read_value + - bpf_get_stack + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_send_signal + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_send_signal_thread + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_get_task_stack + - bpf_copy_from_user + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_task_storage_get + - bpf_task_storage_delete + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_get_func_ip + - bpf_get_attach_cookie + - bpf_task_pt_regs + - bpf_get_branch_snapshot + - bpf_find_vma + - bpf_loop + - bpf_strncmp + - bpf_copy_from_user_task + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type xdp: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_redirect + - bpf_perf_event_output + - bpf_csum_diff + - 
bpf_get_current_task + - bpf_get_numa_node_id + - bpf_xdp_adjust_head + - bpf_redirect_map + - bpf_xdp_adjust_meta + - bpf_xdp_adjust_tail + - bpf_fib_lookup + - bpf_get_current_cgroup_id + - bpf_sk_lookup_tcp + - bpf_sk_lookup_udp + - bpf_sk_release + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_skc_lookup_tcp + - bpf_tcp_check_syncookie + - bpf_strtol + - bpf_strtoul + - bpf_tcp_gen_syncookie + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_check_mtu + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_xdp_get_buff_len + - bpf_xdp_load_bytes + - bpf_xdp_store_bytes + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_tcp_raw_gen_syncookie_ipv4 + - bpf_tcp_raw_gen_syncookie_ipv6 + - bpf_tcp_raw_check_syncookie_ipv4 + - bpf_tcp_raw_check_syncookie_ipv6 + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type perf_event: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_probe_read 
+ - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_perf_event_read + - bpf_perf_event_output + - bpf_get_stackid + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_probe_read_str + - bpf_perf_event_read_value + - bpf_perf_prog_read_value + - bpf_get_stack + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_send_signal + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_send_signal_thread + - bpf_jiffies64 + - bpf_read_branch_records + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_get_task_stack + - bpf_copy_from_user + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_task_storage_get + - bpf_task_storage_delete + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_get_func_ip + - bpf_get_attach_cookie + - bpf_task_pt_regs + - bpf_get_branch_snapshot + - bpf_find_vma + - bpf_loop + - bpf_strncmp + - bpf_copy_from_user_task + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type cgroup_skb: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - 
bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_get_socket_cookie + - bpf_get_socket_uid + - bpf_skb_load_bytes_relative + - bpf_skb_cgroup_id + - bpf_get_current_cgroup_id + - bpf_get_local_storage + - bpf_skb_ancestor_cgroup_id + - bpf_sk_lookup_tcp + - bpf_sk_lookup_udp + - bpf_sk_release + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_sk_fullsock + - bpf_tcp_sock + - bpf_skb_ecn_set_ce + - bpf_get_listener_sock + - bpf_skc_lookup_tcp + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_sk_cgroup_id + - bpf_sk_ancestor_cgroup_id + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type cgroup_sock: + - 
bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_get_cgroup_classid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_get_socket_cookie + - bpf_get_current_cgroup_id + - bpf_get_local_storage + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_netns_cookie + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_loop + - bpf_strncmp + - bpf_get_retval + - bpf_set_retval + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type lwt_in: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_cgroup_classid + - bpf_get_route_realm + - bpf_perf_event_output + - bpf_skb_load_bytes + - 
bpf_csum_diff + - bpf_skb_under_cgroup + - bpf_get_hash_recalc + - bpf_get_current_task + - bpf_skb_pull_data + - bpf_get_numa_node_id + - bpf_lwt_push_encap + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type lwt_out: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_cgroup_classid + - bpf_get_route_realm + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_csum_diff + - bpf_skb_under_cgroup + - bpf_get_hash_recalc + - bpf_get_current_task + - bpf_skb_pull_data + - bpf_get_numa_node_id + - bpf_get_current_cgroup_id + - 
bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type lwt_xmit: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_skb_store_bytes + - bpf_l3_csum_replace + - bpf_l4_csum_replace + - bpf_tail_call + - bpf_clone_redirect + - bpf_get_current_pid_tgid + - bpf_get_cgroup_classid + - bpf_skb_get_tunnel_key + - bpf_skb_set_tunnel_key + - bpf_redirect + - bpf_get_route_realm + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_csum_diff + - bpf_skb_get_tunnel_opt + - bpf_skb_set_tunnel_opt + - bpf_skb_under_cgroup + - bpf_get_hash_recalc + - bpf_get_current_task + - bpf_skb_change_tail + - bpf_skb_pull_data + - 
bpf_csum_update + - bpf_set_hash_invalid + - bpf_get_numa_node_id + - bpf_skb_change_head + - bpf_lwt_push_encap + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_csum_level + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type sock_ops: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_get_socket_cookie + - bpf_setsockopt + - bpf_sock_map_update + - bpf_getsockopt + - bpf_sock_ops_cb_flags_set + - bpf_sock_hash_update + - bpf_get_current_cgroup_id + - bpf_get_local_storage + - bpf_map_push_elem + - 
bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_tcp_sock + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_netns_cookie + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_load_hdr_opt + - bpf_store_hdr_opt + - bpf_reserve_hdr_opt + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type sk_skb: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_skb_store_bytes + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_get_current_task + - bpf_skb_change_tail + - bpf_skb_pull_data + - bpf_get_numa_node_id + - bpf_skb_change_head + - bpf_get_socket_cookie + - bpf_get_socket_uid + - bpf_skb_adjust_room + - bpf_sk_redirect_map + - bpf_sk_redirect_hash + - 
bpf_get_current_cgroup_id + - bpf_sk_lookup_tcp + - bpf_sk_lookup_udp + - bpf_sk_release + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_skc_lookup_tcp + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type cgroup_device: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_get_cgroup_classid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_get_current_cgroup_id + - bpf_get_local_storage + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - 
bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type sk_msg: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_cgroup_classid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_msg_redirect_map + - bpf_msg_apply_bytes + - bpf_msg_cork_bytes + - bpf_msg_pull_data + - bpf_msg_redirect_hash + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_msg_push_data + - bpf_msg_pop_data + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_netns_cookie + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - 
bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type raw_tracepoint: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_probe_read + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_perf_event_read + - bpf_perf_event_output + - bpf_get_stackid + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_probe_read_str + - bpf_perf_event_read_value + - bpf_get_stack + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_send_signal + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_send_signal_thread + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - 
bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_get_task_stack + - bpf_copy_from_user + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_task_storage_get + - bpf_task_storage_delete + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_get_func_ip + - bpf_get_attach_cookie + - bpf_task_pt_regs + - bpf_get_branch_snapshot + - bpf_find_vma + - bpf_loop + - bpf_strncmp + - bpf_copy_from_user_task + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type cgroup_sock_addr: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_get_cgroup_classid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_get_socket_cookie + - bpf_setsockopt + - bpf_getsockopt + - bpf_bind + - bpf_get_current_cgroup_id + - bpf_get_local_storage + - bpf_sk_lookup_tcp + - bpf_sk_lookup_udp + - bpf_sk_release + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_skc_lookup_tcp + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_netns_cookie + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - 
bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_get_retval + - bpf_set_retval + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type lwt_seg6local: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_cgroup_classid + - bpf_get_route_realm + - bpf_perf_event_output + - bpf_skb_load_bytes + - bpf_csum_diff + - bpf_skb_under_cgroup + - bpf_get_hash_recalc + - bpf_get_current_task + - bpf_skb_pull_data + - bpf_get_numa_node_id + - bpf_lwt_seg6_store_bytes + - bpf_lwt_seg6_adjust_srh + - bpf_lwt_seg6_action + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + 
- bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type lirc_mode2: + Program type not supported +eBPF helpers supported for program type sk_reuseport: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_skb_load_bytes + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_get_socket_cookie + - bpf_skb_load_bytes_relative + - bpf_get_current_cgroup_id + - bpf_sk_select_reuseport + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - 
bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type flow_dissector: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_skb_load_bytes + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - 
bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type cgroup_sysctl: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_get_cgroup_classid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_get_current_cgroup_id + - bpf_get_local_storage + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_sysctl_get_name + - bpf_sysctl_get_current_value + - bpf_sysctl_get_new_value + - bpf_sysctl_set_new_value + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type raw_tracepoint_writable: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_probe_read + - 
bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_perf_event_read + - bpf_perf_event_output + - bpf_get_stackid + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_probe_read_str + - bpf_perf_event_read_value + - bpf_get_stack + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_send_signal + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_send_signal_thread + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_get_task_stack + - bpf_copy_from_user + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_task_storage_get + - bpf_task_storage_delete + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_get_func_ip + - bpf_get_attach_cookie + - bpf_task_pt_regs + - bpf_get_branch_snapshot + - bpf_find_vma + - bpf_loop + - bpf_strncmp + - bpf_copy_from_user_task + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type cgroup_sockopt: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - 
bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_get_cgroup_classid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_current_task_under_cgroup + - bpf_get_numa_node_id + - bpf_get_current_cgroup_id + - bpf_get_local_storage + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_tcp_sock + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_netns_cookie + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_loop + - bpf_strncmp + - bpf_get_retval + - bpf_set_retval + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type tracing: + Could not determine which helpers are available +eBPF helpers supported for program type struct_ops: + Could not determine which helpers are available +eBPF helpers supported for program type ext: + Could not determine which helpers are available +eBPF helpers supported for program type lsm: + Could not determine which helpers are available +eBPF helpers supported for program type sk_lookup: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - 
bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_perf_event_output + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_get_current_cgroup_id + - bpf_sk_release + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_sk_assign + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_ktime_get_coarse_ns + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_skc_to_unix_sock + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type syscall: + - bpf_map_lookup_elem + - bpf_map_update_elem + - bpf_map_delete_elem + - bpf_probe_read + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_uid_gid + - bpf_get_current_comm + - bpf_perf_event_read + - bpf_perf_event_output + - bpf_get_stackid + - bpf_get_current_task + - bpf_current_task_under_cgroup + 
- bpf_get_numa_node_id + - bpf_probe_read_str + - bpf_get_socket_cookie + - bpf_perf_event_read_value + - bpf_get_stack + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_sk_storage_get + - bpf_sk_storage_delete + - bpf_send_signal + - bpf_skb_output + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_send_signal_thread + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_xdp_output + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_skc_to_tcp6_sock + - bpf_skc_to_tcp_sock + - bpf_skc_to_tcp_timewait_sock + - bpf_skc_to_tcp_request_sock + - bpf_skc_to_udp6_sock + - bpf_get_task_stack + - bpf_d_path + - bpf_copy_from_user + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_task_storage_get + - bpf_task_storage_delete + - bpf_get_current_task_btf + - bpf_sock_from_file + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_sys_bpf + - bpf_btf_find_by_name_kind + - bpf_sys_close + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_get_func_ip + - bpf_task_pt_regs + - bpf_get_branch_snapshot + - bpf_skc_to_unix_sock + - bpf_kallsyms_lookup_name + - bpf_find_vma + - bpf_loop + - bpf_strncmp + - bpf_xdp_get_buff_len + - bpf_copy_from_user_task + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_skc_to_mptcp_sock + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete +eBPF helpers supported for program type netfilter: + - bpf_map_lookup_elem + - bpf_map_update_elem + 
- bpf_map_delete_elem + - bpf_ktime_get_ns + - bpf_get_prandom_u32 + - bpf_get_smp_processor_id + - bpf_tail_call + - bpf_get_current_pid_tgid + - bpf_get_current_task + - bpf_get_numa_node_id + - bpf_get_current_cgroup_id + - bpf_map_push_elem + - bpf_map_pop_elem + - bpf_map_peek_elem + - bpf_spin_lock + - bpf_spin_unlock + - bpf_strtol + - bpf_strtoul + - bpf_probe_read_user + - bpf_probe_read_kernel + - bpf_probe_read_user_str + - bpf_probe_read_kernel_str + - bpf_jiffies64 + - bpf_get_ns_current_pid_tgid + - bpf_get_current_ancestor_cgroup_id + - bpf_ktime_get_boot_ns + - bpf_ringbuf_output + - bpf_ringbuf_reserve + - bpf_ringbuf_submit + - bpf_ringbuf_discard + - bpf_ringbuf_query + - bpf_snprintf_btf + - bpf_per_cpu_ptr + - bpf_this_cpu_ptr + - bpf_get_current_task_btf + - bpf_for_each_map_elem + - bpf_snprintf + - bpf_timer_init + - bpf_timer_set_callback + - bpf_timer_start + - bpf_timer_cancel + - bpf_task_pt_regs + - bpf_loop + - bpf_strncmp + - bpf_kptr_xchg + - bpf_map_lookup_percpu_elem + - bpf_dynptr_from_mem + - bpf_ringbuf_reserve_dynptr + - bpf_ringbuf_submit_dynptr + - bpf_ringbuf_discard_dynptr + - bpf_dynptr_read + - bpf_dynptr_write + - bpf_dynptr_data + - bpf_ktime_get_tai_ns + - bpf_user_ringbuf_drain + - bpf_cgrp_storage_get + - bpf_cgrp_storage_delete + +Scanning miscellaneous eBPF features... +Large program size limit is available +Bounded loop support is available +ISA extension v2 is available +ISA extension v3 is available +ISA extension v4 is available + diff --git a/tracepoint.c b/tracepoint.c new file mode 100644 index 0000000..459dd33 --- /dev/null +++ b/tracepoint.c 
@@ -0,0 +1,71 @@
+#include
+#include
+#include
+
+struct sys_enter_args {
+ unsigned long long unused;
+ long syscall_nr;
+ unsigned long args[6];
+};
+
+struct event {
+ __u32 pid;
+ __u32 uid;
+ char comm[16];
+ char filename[256];
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(int));
+ __uint(value_size, sizeof(int));
+ __uint(max_entries, 1024);
+} events SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(key_size, sizeof(int));
+ __uint(value_size, 256); // Max filename length
+ __uint(max_entries, 1);
+} target_filename_map SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int trace_openat(struct sys_enter_args *ctx)
+{
+ int zero = 0;
+ char *target = bpf_map_lookup_elem(&target_filename_map, &zero);
+ if (!target) {
+ return 0;
+ }
+
+ struct event e = {};
+ long ret;
+
+ // Read filename safely
+ ret = bpf_probe_read_user_str(e.filename, sizeof(e.filename), (void *)ctx->args[1]);
+ if (ret <= 0) {
+ return 0;
+ }
+
+ // Compare strings properly
+ for (int i = 0; i < sizeof(e.filename); i++) {
+ if (e.filename[i] != target[i]) {
+ return 0;
+ }
+ // Stop at null terminator
+ if (e.filename[i] == '\0') {
+ break;
+ }
+ }
+
+ // Fill event data
+ e.pid = bpf_get_current_pid_tgid() >> 32;
+ e.uid = bpf_get_current_uid_gid();
+ bpf_get_current_comm(&e.comm, sizeof(e.comm));
+
+ // Submit event
+ bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &e, sizeof(e));
+ return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
\ No newline at end of file
diff --git a/tracepoint.c.bkp b/tracepoint.c.bkp
new file mode 100644
index 0000000..5bbd3c2
--- /dev/null
+++ b/tracepoint.c.bkp
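Review bot: The match in `trace_openat` compares the raw user-supplied path string byte for byte against the map value, so an event is produced only when the caller passes exactly the configured spelling through `openat`; the same file reached by a relative path, a link, a non-normalised path or another open-family syscall is not reported. The string is also read from user memory at syscall entry, before the kernel resolves the path, so the recorded name is not guaranteed to be the file that was actually opened. If this is meant as a monitoring control rather than a demo, state the limit above the function, e.g. `// NOTE: matches the literal openat() argument only; not a reliable audit signal`, and consider a hook that sees the resolved file (an LSM file-open hook, where the kernel supports it). The return value of `bpf_perf_event_output` is discarded as well, so events dropped on a full buffer go unnoticed; counting failures in a small map would make the loss visible.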
@@ -0,0 +1,40 @@
+//go:build ignore
+
+#include "common.h"
+
+char __license[] SEC("license") = "Dual MIT/GPL";
+
+struct {
+ __uint(type, BPF_MAP_TYPE_ARRAY);
+ __type(key, u32);
+ __type(value, u64);
+ __uint(max_entries, 1);
+} counting_map SEC(".maps");
+
+// This struct is defined according to the following format file:
+// /sys/kernel/tracing/events/kmem/mm_page_alloc/format
+struct alloc_info {
+ /* The first 8 bytes is not allowed to read */
+ unsigned long pad;
+
+ unsigned long pfn;
+ unsigned int order;
+ unsigned int gfp_flags;
+ int migratetype;
+};
+
+// This tracepoint is defined in mm/page_alloc.c:__alloc_pages_nodemask()
+// Userspace pathname: /sys/kernel/tracing/events/kmem/mm_page_alloc
+SEC("tracepoint/kmem/mm_page_alloc")
+int mm_page_alloc(struct alloc_info *info) {
+ u32 key = 0;
+ u64 initval = 1, *valp;
+
+ valp = bpf_map_lookup_elem(&counting_map, &key);
+ if (!valp) {
+ bpf_map_update_elem(&counting_map, &key, &initval, BPF_ANY);
+ return 0;
+ }
+ __sync_fetch_and_add(valp, 1);
+ return 0;
+}
\ No newline at end of file
diff --git a/tracepoint.o b/tracepoint.o
new file mode 100644
index 0000000..1270358
Binary files /dev/null and b/tracepoint.o differ
diff --git a/tracepoint_bpfeb.go b/tracepoint_bpfeb.go
new file mode 100644
index 0000000..4b85be8
--- /dev/null
+++ b/tracepoint_bpfeb.go
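Review bot: `tracepoint.c.bkp` looks like a leftover backup rather than source: it defines `mm_page_alloc` and `counting_map`, while the generated bindings in this commit expose only `trace_openat`, `events` and `target_filename_map`, and it includes `common.h`, which is not among the files visible here. It would be cleaner to drop it from the commit and add `*.bkp` to the ignore file so stray copies of kernel-side code are not carried along unreviewed. The prebuilt `tracepoint.o` added next to it raises a related concern, since a reviewer cannot compare the object against `tracepoint.c`; building it from source in CI would give the loaded program a traceable origin.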
@@ -0,0 +1,136 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build (mips || mips64 || ppc64 || s390x) && linux + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadTracepoint returns the embedded CollectionSpec for tracepoint. +func loadTracepoint() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_TracepointBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load tracepoint: %w", err) + } + + return spec, err +} + +// loadTracepointObjects loads tracepoint and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *tracepointObjects +// *tracepointPrograms +// *tracepointMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadTracepointObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadTracepoint() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// tracepointSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type tracepointSpecs struct { + tracepointProgramSpecs + tracepointMapSpecs + tracepointVariableSpecs +} + +// tracepointProgramSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type tracepointProgramSpecs struct { + TraceOpenat *ebpf.ProgramSpec `ebpf:"trace_openat"` +} + +// tracepointMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type tracepointMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TargetFilenameMap *ebpf.MapSpec `ebpf:"target_filename_map"` +} + +// tracepointVariableSpecs contains global variables before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. 
+type tracepointVariableSpecs struct { +} + +// tracepointObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointObjects struct { + tracepointPrograms + tracepointMaps + tracepointVariables +} + +func (o *tracepointObjects) Close() error { + return _TracepointClose( + &o.tracepointPrograms, + &o.tracepointMaps, + ) +} + +// tracepointMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointMaps struct { + Events *ebpf.Map `ebpf:"events"` + TargetFilenameMap *ebpf.Map `ebpf:"target_filename_map"` +} + +func (m *tracepointMaps) Close() error { + return _TracepointClose( + m.Events, + m.TargetFilenameMap, + ) +} + +// tracepointVariables contains all global variables after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointVariables struct { +} + +// tracepointPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointPrograms struct { + TraceOpenat *ebpf.Program `ebpf:"trace_openat"` +} + +func (p *tracepointPrograms) Close() error { + return _TracepointClose( + p.TraceOpenat, + ) +} + +func _TracepointClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed tracepoint_bpfeb.o +var _TracepointBytes []byte diff --git a/tracepoint_bpfeb.o b/tracepoint_bpfeb.o new file mode 100644 index 0000000..e0fa909 Binary files /dev/null and b/tracepoint_bpfeb.o differ diff --git a/tracepoint_bpfel.go b/tracepoint_bpfel.go new file mode 100644 index 0000000..9fe8dc9 --- /dev/null 
+++ b/tracepoint_bpfel.go 
@@ -0,0 +1,136 @@ +// Code generated by bpf2go; DO NOT EDIT. +//go:build (386 || amd64 || arm || arm64 || loong64 || mips64le || mipsle || ppc64le || riscv64 || wasm) && linux + +package main + +import ( + "bytes" + _ "embed" + "fmt" + "io" + + "github.com/cilium/ebpf" +) + +// loadTracepoint returns the embedded CollectionSpec for tracepoint. +func loadTracepoint() (*ebpf.CollectionSpec, error) { + reader := bytes.NewReader(_TracepointBytes) + spec, err := ebpf.LoadCollectionSpecFromReader(reader) + if err != nil { + return nil, fmt.Errorf("can't load tracepoint: %w", err) + } + + return spec, err +} + +// loadTracepointObjects loads tracepoint and converts it into a struct. +// +// The following types are suitable as obj argument: +// +// *tracepointObjects +// *tracepointPrograms +// *tracepointMaps +// +// See ebpf.CollectionSpec.LoadAndAssign documentation for details. +func loadTracepointObjects(obj interface{}, opts *ebpf.CollectionOptions) error { + spec, err := loadTracepoint() + if err != nil { + return err + } + + return spec.LoadAndAssign(obj, opts) +} + +// tracepointSpecs contains maps and programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type tracepointSpecs struct { + tracepointProgramSpecs + tracepointMapSpecs + tracepointVariableSpecs +} + +// tracepointProgramSpecs contains programs before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type tracepointProgramSpecs struct { + TraceOpenat *ebpf.ProgramSpec `ebpf:"trace_openat"` +} + +// tracepointMapSpecs contains maps before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. +type tracepointMapSpecs struct { + Events *ebpf.MapSpec `ebpf:"events"` + TargetFilenameMap *ebpf.MapSpec `ebpf:"target_filename_map"` +} + +// tracepointVariableSpecs contains global variables before they are loaded into the kernel. +// +// It can be passed ebpf.CollectionSpec.Assign. 
+type tracepointVariableSpecs struct { +} + +// tracepointObjects contains all objects after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointObjects struct { + tracepointPrograms + tracepointMaps + tracepointVariables +} + +func (o *tracepointObjects) Close() error { + return _TracepointClose( + &o.tracepointPrograms, + &o.tracepointMaps, + ) +} + +// tracepointMaps contains all maps after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointMaps struct { + Events *ebpf.Map `ebpf:"events"` + TargetFilenameMap *ebpf.Map `ebpf:"target_filename_map"` +} + +func (m *tracepointMaps) Close() error { + return _TracepointClose( + m.Events, + m.TargetFilenameMap, + ) +} + +// tracepointVariables contains all global variables after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointVariables struct { +} + +// tracepointPrograms contains all programs after they have been loaded into the kernel. +// +// It can be passed to loadTracepointObjects or ebpf.CollectionSpec.LoadAndAssign. +type tracepointPrograms struct { + TraceOpenat *ebpf.Program `ebpf:"trace_openat"` +} + +func (p *tracepointPrograms) Close() error { + return _TracepointClose( + p.TraceOpenat, + ) +} + +func _TracepointClose(closers ...io.Closer) error { + for _, closer := range closers { + if err := closer.Close(); err != nil { + return err + } + } + return nil +} + +// Do not access this directly. +// +//go:embed tracepoint_bpfel.o +var _TracepointBytes []byte diff --git a/tracepoint_bpfel.o b/tracepoint_bpfel.o new file mode 100644 index 0000000..f3abd6f Binary files /dev/null and b/tracepoint_bpfel.o differ